French spooks behind latest malware

It seems that the French are not going to stand idly by while other nations' spies get all the attention for creating spyware.

Cyphort Labs has found a cyber-espionage tool of the kind a nation state would be behind. It invades Windows desktop machines and aims to extract almost anything of value: it steals data from instant messengers, softphones, browsers and office applications.

Dubbed ‘Babar64’, the malware is believed to have been written by French intelligence.

It is a natty bit of code. It logs keystrokes, takes screenshots, streams audio from softphone applications, nicks clipboard data and can steal the names of desktop windows.

The malware creates an invisible window, with no other purpose than to receive window messages. By processing the window message queue it filters out input events and dispatches them to a raw input device object. Said object is configured to grab keyboard events through GetRawInputData.

Babar has two hard-coded C&C server addresses included in its configuration data — http://www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/index.php and http://www.gezelimmi.com/wp-includes/misc/bb/index.php

The domain horizons-tourisme.com is a legitimate website, operated by an Algerian travel agency located in Algiers. The website is in French and still online today. Gezelimmi.com is a Turkish domain, currently responding with an HTTP 403 (access forbidden) error. Both domains appear to be legitimate sites that were compromised and abused to host Babar’s server-side infrastructure.
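Because both domains are legitimate sites, a defender should alert on the full C&C path rather than on the hostname alone. The following is an added example, not code from the article or from Cyphort, that scans constructed proxy log lines (the log format and IP addresses are assumed) for the two hard-coded Babar C&C URLs quoted above:

```python
from urllib.parse import urlsplit

# The two C&C URLs named in the article.
BABAR_C2_URLS = [
    "http://www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/index.php",
    "http://www.gezelimmi.com/wp-includes/misc/bb/index.php",
]


def normalize(url):
    """Reduce a URL to (host, path) so scheme, port, host case and query
    string differences cannot hide a match."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # hostname is already lower-cased
    path = parts.path or "/"
    return host, path


C2_KEYS = {normalize(u) for u in BABAR_C2_URLS}


def find_c2_hits(log_lines):
    """Return (client_ip, url) for each line that requests a known Babar C&C
    endpoint. Assumed (constructed) log format:
    '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue    # malformed line: skip it rather than crash
        client_ip, url = fields[1], fields[3]
        if normalize(url) in C2_KEYS:
            hits.append((client_ip, url))
    return hits


# Constructed sample log: one benign request, two C&C requests (one with odd
# host case, an explicit port and a query string), one request to the travel
# agency's legitimate front page, and one malformed line.
SAMPLE_LOG = [
    "2015-02-18T09:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2015-02-18T09:12:05Z 10.0.0.23 POST http://WWW.Horizons-Tourisme.com:80/_vti_bin/_vti_msc/bb/index.php?id=1 200",
    "2015-02-18T09:12:09Z 10.0.0.42 GET http://www.gezelimmi.com/wp-includes/misc/bb/index.php 403",
    "2015-02-18T09:12:11Z 10.0.0.15 GET http://www.horizons-tourisme.com/ 200",
    "garbage",
]

if __name__ == "__main__":
    for client_ip, url in find_c2_hits(SAMPLE_LOG):
        print(f"Babar C&C contact from {client_ip}: {url}")
```

Note that the request to the travel agency's front page is not flagged: only the compromised `bb/index.php` paths are treated as indicators.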